After generating a new self-signed certificate for your directory server, you try to log in to the console with your LDAP user account and get a fatal error.
Error messages and logs
These errors might occur when an expired certificate is configured to authenticate SSL connections for the directory server, or when the certificate path or credentials for a new certificate are misconfigured in PE or in the Java keystore file (.jks).
In the console in External directory:
Something unexpected occurred: {"kind":"puppetlabs.rbac.ldap/ldap-exception","msg":"Encountered fatal error when communicating with directory service: server down (code 81). Check the logs for more information.","error-code":81}
In console-services.log:
Key text: "javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException"
"WARN [p.r.h.middleware] POST /rbac-api/v1/auth/token com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to send the LDAP message to server openldapServername:port: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sun Mar 17 08:06:30 PDT 2019 caused by java.security.cert.CertificateExpiredException: NotAfter: Sun Mar 17 08:06:30 PDT 2019:"
Version and installation information
PE version: All supported versions
Solution
Check that the connection and authentication with your external directory are configured correctly using the following steps.
Note: To complete the steps in this article you must download and install the Java Development Kit (JDK) on your local machine. We cannot troubleshoot third-party software.
Part one: Ensure that the path to the directory server's certificate is configured correctly in PE
Verify directory server certificates for Puppet Enterprise. To check your Java keystore file in the following steps, note the path set in rbac_ds_trust_chain.
Part two: Ensure that your authentication credentials are configured correctly
To be able to communicate with the external directory service, either PE must be configured to use SSL to connect to the directory service, or the path to the directory service's certificate must be set in your Java keystore file (.jks).
- Log in to the primary server (called the master in older versions of PE). Navigate to /opt/puppetlabs/server/data/console-services/rbac and check if there is a .jks file in the directory.
- If there is no .jks file: Confirm that SSL is enabled. In the console, click Access control > External directory. Ensure that Connect using: is set to SSL.
- If there is a .jks file:
A. Make a copy of the .jks file and move it to your local machine.
B. Open the .jks file with the Java keytool by running keytool -list -v -keystore <JKS FILE NAME>.jks. When you are prompted for a password, press Enter (or Return) to view the contents of the file, since no password has been set.
C. Check the contents of the .jks file:
- Check Alias Name. Make sure that "from pathToMyCert" matches the path set in rbac_ds_trust_chain.
- Check Valid from. Make sure that the "until" date is a valid date in the future.
If this information matches, it confirms that the certificate exists and is configured correctly for the LDAP server.
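The two checks in step C (the alias path matches rbac_ds_trust_chain, and the "until" date is still in the future) can be automated so you do not misread a date by eye. The script below is an added example, not Puppet's code: it parses the text that keytool -list -v prints and reports expired, not-yet-valid or missing entries. It assumes the alias format "from <path>" shown in this article, and it uses a constructed sample listing; the list_keystore function runs the real keytool with an empty password if you want to check a copied .jks file.

```python
"""Check a `keytool -list -v` listing of the PE RBAC trust-chain keystore.

Added example (not Puppet's code). Assumptions:
- keytool output looks like the constructed SAMPLE_LISTING below
- the keystore alias is "from <rbac_ds_trust_chain path>", as in the article
"""
import re
import subprocess
from datetime import datetime

# Constructed sample of keytool output (not captured from a real PE server).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: from /etc/puppetlabs/puppet/ssl/certs/ldap-ca.pem
Creation date: Mar 18, 2019
Entry type: trustedCertEntry

Owner: CN=openldap.example.internal, O=Example
Issuer: CN=openldap.example.internal, O=Example
Serial number: 1
Valid from: Sun Mar 17 08:06:30 PDT 2019 until: Mon Mar 16 08:06:30 PDT 2020
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************


Alias name: from /etc/puppetlabs/puppet/ssl/certs/ldap-ca-new.pem
Creation date: Jan 10, 2024
Entry type: trustedCertEntry

Owner: CN=openldap.example.internal, O=Example
Issuer: CN=openldap.example.internal, O=Example
Serial number: 2
Valid from: Wed Jan 10 09:00:00 PST 2024 until: Sun Jan 08 09:00:00 PST 2034
Signature algorithm name: SHA256withRSA
Version: 3
"""

ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)
# keytool prints e.g. "Sun Mar 17 08:06:30 PDT 2019"; the zone abbreviation is
# dropped before parsing because strptime's %Z does not accept arbitrary zones.
TZ_RE = re.compile(r" [A-Z]{3,5} (\d{4})$")


def parse_keytool_date(text):
    """Parse a keytool date as a naive datetime (zone ignored: hours of slack)."""
    stripped = TZ_RE.sub(r" \1", text.strip())
    return datetime.strptime(stripped, "%a %b %d %H:%M:%S %Y")


def parse_listing(listing):
    """Return one dict (alias, not_before, not_after) per keystore entry."""
    entries = []
    # keytool separates entries with banners made of asterisks.
    for chunk in re.split(r"(?:\n\*{5,})+\n", listing):
        alias = ALIAS_RE.search(chunk)
        valid = VALID_RE.search(chunk)
        if not (alias and valid):
            continue
        entries.append({
            "alias": alias.group(1).strip(),
            "not_before": parse_keytool_date(valid.group(1)),
            "not_after": parse_keytool_date(valid.group(2)),
        })
    return entries


def check_entries(entries, trust_chain_path, now=None):
    """Return a list of problems; an empty list means the keystore looks right."""
    now = now or datetime.now()
    problems = []
    expected_alias = "from " + trust_chain_path
    if not any(e["alias"] == expected_alias for e in entries):
        problems.append("no entry for rbac_ds_trust_chain %s" % trust_chain_path)
    for e in entries:
        if e["not_after"] <= now:
            problems.append("%s expired %s" % (e["alias"], e["not_after"].date()))
        elif e["not_before"] > now:
            problems.append("%s not valid before %s" % (e["alias"], e["not_before"].date()))
    return problems


def list_keystore(jks_path):
    """Run keytool on a copied .jks; the empty line answers the password prompt."""
    result = subprocess.run(["keytool", "-list", "-v", "-keystore", jks_path],
                            input="\n", capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for problem in check_entries(entries, "/etc/puppetlabs/puppet/ssl/certs/ldap-ca-new.pem"):
        print("PROBLEM:", problem)
```

Run against a real keystore with check_entries(parse_listing(list_keystore("copy.jks")), "<rbac_ds_trust_chain value>"). An expired entry that remains alongside a fresh one is worth removing as well: the report above lists every entry, so a stale certificate left in the keystore still shows up.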
- Check other servers and restart services:
- Make sure the certificate value and content of rbac_ds_trust_chain on the primary server match the configuration of the other servers in your infrastructure.
- If you didn't restart OpenLDAP server services after putting the new certificate in place, restart them.
- If you made changes to the certificate, restart pe-console-services.
In the console, confirm that you can connect to the external directory service. If you can’t, please open a ticket.